Newsgroups: php.internals
Message-ID: <139e388dc03896c57b5c36d059f23597.squirrel@www.l-i-e.com>
Date: Mon, 27 Feb 2012 14:01:12 -0600
To: internals@lists.php.net
Subject: Re: [PHP-DEV] RFC: PHP 6 include E_NOTICE in default php.ini
From: ceo@l-i-e.com ("Richard Lynch")

On Mon, February 27, 2012 1:33 pm, Kris Craig wrote:
> I think it's a good idea, though I'm not sure it should be done in the
> production one as well. I'm not sure, but I think these errors are
> generally suppressed in production because of potential security
> concerns involved in making those errors public.

I would contend that if you have any errors at any level of E_* going out over HTTP, you have done it "wrong".

It is true that in the days of register_globals, the E_NOTICE going to the HTML was a gold-mine for abusers of potential security threats.

But all of E_* messages are also goldmines of the same ilk.

That said,
> I would suggest amending the RFC so that it only applies to
> php.ini-development. Other than that, I like it.

If most cheap webhosts chose php.ini-development, I'd be okay with this, as it probably is not suitable for PRODUCTION environments for the experts.

Unfortunately, most cheap webhosts go with php.ini-production, as they are production environments, and the unwashed masses of users of said cheap webhosts are the target audience of the proposal.

As stated in the RFC, the experts can and will change their php.ini to their taste in each environment: It's the masses of users who don't even know there is a choice that are being hurt by the current default setting, writing bad code, asking questions of obvious typos that E_NOTICE would catch, and remaining un-educated for too long that they develop bad habits.

Not that I think this will eliminate newbie postings. There will always be those who don't even read or comprehend the most clear error messages.

But I think it will reduce the number of postings by newbies who are tripped up by the typical mistakes E_NOTICE exposes.

PS
I want to thank you for your reasoned response, especially given the other thread we are involved in!

--
brain cancer update: http://richardlynch.blogspot.com/search/label/brain%20tumor
Donate: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=FS9NLTNEEKWBE
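
The two settings this message turns on, E_NOTICE being part of `error_reporting` and no error text going out over HTTP, can be checked mechanically. The following is an added example, not part of the original email or of PHP itself: the function names and both sample php.ini bodies are constructed for illustration, and the `log_errors` check is an added assumption that notices should land in a log once display is off.

```python
import re

# PHP E_* bit values; E_ALL is 32767 from PHP 5.4 on (it then includes E_STRICT).
LEVELS = {"E_ERROR": 1, "E_WARNING": 2, "E_PARSE": 4, "E_NOTICE": 8,
          "E_CORE_ERROR": 16, "E_CORE_WARNING": 32, "E_COMPILE_ERROR": 64,
          "E_COMPILE_WARNING": 128, "E_USER_ERROR": 256, "E_USER_WARNING": 512,
          "E_USER_NOTICE": 1024, "E_STRICT": 2048, "E_RECOVERABLE_ERROR": 4096,
          "E_DEPRECATED": 8192, "E_USER_DEPRECATED": 16384, "E_ALL": 32767}

# Constructed sample inputs, not copies of any shipped php.ini.
WEAK = "display_errors = On\nerror_reporting = E_ALL & ~E_NOTICE ; quiet\nlog_errors = Off\n"
HARDENED = "display_errors = Off\nlog_errors = On\nerror_reporting = E_ALL\n"

def parse_ini(text):
    """Return {directive: value}; the last assignment of a directive wins."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # ';' starts a comment
        if "=" in line and not line.startswith("["):
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.strip().strip('"')
    return settings

def error_mask(expr):
    """Evaluate an error_reporting expression such as 'E_ALL & ~E_NOTICE'."""
    resolved = re.sub(r"[A-Za-z_]+", lambda m: str(LEVELS[m.group(0)]), expr)
    if not re.fullmatch(r"[\d\s&|~^()]+", resolved):
        raise ValueError("unsupported expression: %r" % expr)
    # Only digits, whitespace and bit operators remain, so eval is safe here.
    return eval(resolved, {"__builtins__": {}}) & LEVELS["E_ALL"]

def audit(text):
    """List findings for the error-handling directives of one php.ini body."""
    ini, findings = parse_ini(text), []
    # Anything other than an explicit "off" value counts as displaying errors.
    if ini.get("display_errors", "").lower() not in ("0", "off", "false", "no"):
        findings.append("display_errors is not off: error text can reach the HTTP response")
    expr = ini.get("error_reporting")
    if expr is None or not error_mask(expr) & LEVELS["E_NOTICE"]:
        findings.append("E_NOTICE is not explicitly enabled in error_reporting")
    if ini.get("log_errors", "").lower() not in ("1", "on", "true", "yes"):
        findings.append("log_errors is not on: with display off, notices are recorded nowhere")
    return findings

if __name__ == "__main__":
    for name, body in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(body) or "no findings")
```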